Group of Popular “Camgirl” Websites Expose Millions of Members and Users

• VTS Media exposed the users and members of its websites through an unprotected database.
• The company was also found to be violating their own data privacy policy and terms and conditions.
• Being based in Barcelona, Spain, the entity needs to comply with EU’s GDPR regulations.

A number of websites belonging to VTS Media have exposed their own members, as well as their users - after the company left a database unprotected and accessible online. The database was left like that for weeks, before researchers of the "Condition:Black" cybersecurity firm discovered and reported it to the owners. The websites that have been exposed are "amateur.tv", "webcampornoxxx.net", and "placercams.com". These websites host live video feeds from "sex workers" who are paid by the visitors in the form of tokens. This is a rising trend in the porn industry, as the element of personalized entertainment has brought up a new dimension in the market.

However, it looks like VTS Media wasn’t very honest with the people who subscribed to its platforms. As the researchers point out, the exposed database contains information that the users never knew it was being logged in the first place, contrary to what is detailed in the data privacy policy and terms and conditions. The level of user activity monitoring went beyond what was defined by the agreements, and this makes the incident a serious case of a legal compliance violation, even if we leave the personal data leak aside.

The unprotected database contained daily logs of member activities going many months back in time. The records included usernames, IP addresses, private chat messages, promotional emails, login attempts, and passwords. Unfortunately, the usernames and passwords were stored in plaintext form, which adds the possibility of account takeover and credential stuffing attacks. As for the users, VTS Media logged which videos they liked to watch and what they rented, creating a sexual preference profile for them. All that said, if you were a member or a registered user of one of the above websites, change your password there, and anywhere else you may be using it.

VTS Media hasn’t provided an official response or a comment on the incident, and their legal department is likely already considering the implications. Being a Europe-based entity, they fall under the GDPR regulations, so they may be asked to pay 4% of their annual turnover as a penalty for violating GDPR. Of course, the Spanish data and consumer protection may step in the investigation too, potentially imposing another fine for VTS Media deceiving its users with fake data and privacy policies. A class lawsuit submitted by the sex workers would also help on that part.

Do you have anything to comment on the above? Share your thoughts with us in the section beneath, or on our socials, on Facebook and Twitter.